Understanding the Personal Data Protection Act
People around the world are growing increasingly concerned about the collection and use of their personal, private information, and governments have responded by enacting various data protection laws.
In Singapore, the Personal Data Protection Act of 2012 was created in response to excessive and intrusive marketing activities. The act applies specifically to companies that do business in Singapore, but it reflects the growing attention and regulation surrounding the need to enforce the digital privacy of individuals.
Under the PDPA, protected data is any information that could be used to identify an individual. This includes full names, passport numbers, photographs, videos, personal telephone numbers, personal email addresses, residential addresses, DNA profiles, and biometrics — such as the voice recording of an individual. It is important to note that the act does not include business contact information, such as business email addresses and business telephone numbers.
The PDPA law applies to private businesses, but not government or public agencies, to allow the agencies to conduct essential legal matters and provide social services to individuals. The PDPA also does not apply to people and organizations handling protected information in a domestic or personal capacity. For instance, the collection of names and telephone numbers for a youth softball team would not be a violation of the PDPA.
The Singapore data law is designed to establish a baseline standard for the safeguarding of personal data within the country. It complements other regulations and laws that apply to specific sectors, such as the laws concerning privacy within the banking sector.
Responsibilities Under the Law
The intent of the PDPA is to prevent the misuse of personal information. The law also acts in the best interest of organizations, as it establishes a foundation of trust for business dealings. Thus, the law recognizes the importance of both individual privacy and the need for organizations to collect and use personal data for legitimate purposes.
Organizations that fall under the PDPA have nine types of responsibilities. These include:
- Receiving Consent. Organizations can only collect and use data from individuals who have given their explicit consent. This requires the development of policies and procedures that notify customers of data collection and request their consent. Organizations must also inform individuals of the ways in which their data could be used. Individuals must opt in in order for their data to be collected under the law.
- Limiting Use. When an organization collects personal data, it may only use that data for purposes which have received consent. Any additional use requires additional consent.
- Notifying Individuals. In addition to notifying individuals when their data has been collected, organizations must also notify individuals in the event of a data breach.
- Allowing for Access and Correction. Individuals may request a copy of their personal information and if errors are found, the organization is obliged to correct them.
- Verifying Accuracy. If the collected data is going to be processed in a way that affects the individual or if the information will be disclosed to a third party, organizations must make reasonable efforts to make sure that the data is accurate.
- Providing Security. Organizations must also make reasonable efforts to safeguard their collected data and protect it from unauthorized access, manipulation, theft, and use. Security should include protection from both internal and external threats.
- Limiting Retention. Organizations are only allowed to retain data for as long as needed to meet explicit business purposes that were outlined at the time of collection.
- Limiting Transfer. Before an organization transfers protected data outside of the country or stores data in the cloud, it must ensure that the destination meets PDPA requirements.
- Providing Transparency. When an organization develops procedures and policies to protect PDPA information, it must make those measures publicly available on an official website.
Companies that do not meet the above obligations run the risk of receiving harsh penalties. Penalties can be imposed after a routine inspection reveals non-compliance. They can also be imposed after regulators receive a whistleblower complaint that triggers an investigation.
If non-compliance is uncovered, authorities may impose a financial penalty equivalent to 10% of annual turnover or $1 million, whichever is greater. Authorities may also direct non-compliant businesses to halt activities related to data collection, disclosure, or use. On some occasions, organizations may be instructed to delete all data related to non-compliance.
These penalties are administered after the fact; a leak of personal data cannot be reversed once it has occurred. A leak could also expose the non-compliant organization to legal action from the affected individuals.
Best Practices for Compliance
A written data protection policy should outline the terms and conditions for obtaining consent from customers and others from whom data will be collected. The policy should also describe how people can access the data that has been collected, correct any mistakes, withdraw their consent, and have their data deleted from the system. Finally, the policy should outline all the administrative, technical, and physical measures used to keep data secure, including measures that ensure data is automatically deleted once it is no longer in use.
How TripleBlind Can Help You Address Compliance Challenges
Whether your data partners are across town or across the globe, TripleBlind’s privacy-enhancing technology can help your company remain compliant with privacy regulations, including PDPA requirements. In fact, TripleBlind’s technology specifically addresses many of the law’s requirements:
- We can help limit use. With our technology, organizations can restrict use of their sensitive data to the purposes for which they have received consent.
- We can provide security. Our technology safeguards collected data from both internal and external threats, protecting it from unauthorized access, manipulation and theft.
- We can limit data transfer. Our technology ensures the transfer of protected data outside of the country meets PDPA requirements.
Contact us today to see our next-generation technology in action.